centos_7_rhel_7_change_openssh_port_number_with_selinux_enabled [2017/09/05 12:18] (current)
====== CentOS 7 / RHEL 7 : change OpenSSH port number with SELINUX enabled ======

This tutorial explains how to change the default SSH port number of the OpenSSH server on CentOS 7 and RHEL 7. We will change the default port 22 to a port of our choice while keeping SELinux enabled, and we will add a firewalld rule for the new port.

From a security point of view, the default SSH port 22 is usually changed to some other port number. Be careful when choosing the new port. Select a number above the "well known" port range, that is above port 1024, and do not reuse the default port of another application or utility, for example 8080 (Tomcat) or 3306 (MySQL). In short: pick a port above 1024 that does not conflict with any application, utility or program on the server.
 +
===== Change SSH port number =====

First take a backup of the sshd_config file, then edit it.
<sxh bash>
cp -Rfa /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)
</sxh>

Now edit the file /etc/ssh/sshd_config and search for the line #Port 22 or Port 22.

**Note:** The # comments the line out. Because ssh has the well-known port number 22 (below 1024), sshd listens on port 22 by default even while this line is commented.

Remove the # from the Port 22 line and change 22 to the new port number; here we have selected 2292.
<sxh bash>
vi /etc/ssh/sshd_config
[...]
Port 2292
</sxh>
 +
===== SELINUX for SSH =====

By default SELinux only allows port 22 for ssh. Now add the new port 2292 to the ssh port context.

**Note:** Replace 2292 if you have selected a different port number.
<sxh bash>
semanage port -a -t ssh_port_t -p tcp 2292
</sxh>

Now check the port context for ssh:
<sxh bash>
semanage port -l | grep ssh
</sxh>

Below is the output from our server:
<sxh bash>
semanage port -l | grep ssh
ssh_port_t                     tcp      2292, 22
</sxh>

Now restart the SSH service:
<sxh bash>
systemctl restart sshd.service
</sxh>
 +
===== Allow port 2292 with firewalld =====

Now allow port 2292 for ssh. Run the command below; it permanently adds a firewalld rule in the public zone for port 2292 with the TCP protocol.
<sxh bash>
firewall-cmd --permanent --zone=public --add-port=2292/tcp
</sxh>

Reload firewalld:
<sxh bash>
firewall-cmd --reload
</sxh>
 +
===== Check listening ssh port with ss command =====

With the ss command you can find the port ssh is listening on. Use the command below:
<sxh bash>
ss -tnlp|grep ssh
</sxh>

Below is reference output from our server:
<sxh bash>
ss -tnlp|grep ssh
LISTEN     0      128                       *:2292                     *:*      users:(("sshd",2786,3))
LISTEN     0      128                      :::2292                    :::*      users:(("sshd",2786,4))
</sxh>

Try to connect to the server over ssh on port 2292 from a remote client:
<sxh bash>
ssh -p 2292 root@192.168.56.101
</sxh>

  * Replace 192.168.56.101 with your server's IP address.
  * Replace 2292 with the new ssh port number you set while following this post.
  * Replace root with a user name that is allowed ssh access on your server.
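The whole procedure above as one reviewable shell script (an added example, not part of the original page). It validates the candidate port the way the text advises, edits sshd_config idempotently, and adds the SELinux port context and the firewalld rule before sshd is restarted, so that no new login is refused in between; the RESERVED_APP_PORTS list and the APPLY switch are this example's own assumptions, and the privileged commands only execute when root sets APPLY=1.

```sh
#!/bin/sh
# Added example, not from the original page: the tutorial's steps as one
# reviewable script. It validates the port as the text advises, edits
# sshd_config idempotently, and adds the SELinux context and firewalld rule
# BEFORE sshd restarts, so no new login is refused in between. Privileged
# commands run only with APPLY=1 (as root); otherwise they are echoed for
# review. RESERVED_APP_PORTS is a constructed list of application ports.

RESERVED_APP_PORTS="8080 3306 5432 3389 8443"

# 0 if PORT is numeric, above 1024 (the page's rule), at most 65535 and
# not a known application port.
valid_ssh_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ] || return 1
    for p in $RESERVED_APP_PORTS; do
        [ "$p" = "$1" ] && return 1
    done
    return 0
}

# Replace the first "Port N" or "#Port N" line of CFG with "Port PORT", or
# append one if there is none. The file is overwritten in place instead of
# mv'd over, so its mode and SELinux label (etc_t, not tmp_t) are preserved.
set_sshd_port() {
    cfg="$1"; port="$2"; tmp="$(mktemp)"
    awk -v port="$port" '
        /^[# \t]*Port[ \t]+[0-9]+/ && !done { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Print the active Port directive (empty means sshd uses the default 22).
get_sshd_port() { awk '$1 == "Port" { print $2; exit }' "$1"; }

# Execute a command, or only echo it when not applying.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "would run: $*"; fi; }
# Whole procedure: change_ssh_port PORT [CFG]
change_ssh_port() {
    port="$1"; cfg="${2:-/etc/ssh/sshd_config}"
    valid_ssh_port "$port" || { echo "refusing port '$port'" >&2; return 1; }
    run cp -a "$cfg" "$cfg.orig.$(date +%F)"
    [ "${APPLY:-0}" = 1 ] && set_sshd_port "$cfg" "$port"
    run semanage port -a -t ssh_port_t -p tcp "$port"
    run firewall-cmd --permanent --zone=public --add-port="$port/tcp"
    run firewall-cmd --reload
    run systemctl restart sshd.service
}
```

Note that semanage port -a fails if the port is already mapped to some type, so check semanage port -l first as the page does.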
 +